#meta 2017-07-17

2017-07-17 UTC
tantek, eli_oat, j12t, [miklb], sl007, [ciudadanob], [pfefferle], Lucaconti, fferf, [shanehudson], eli_oat1 and [chrisaldrich] joined the channel
#
Zegnat
What is IndieAuth?
#
Loqi
IndieAuth is a way to use your own domain name to sign in to websites — it's like OpenID, but works with services you likely already use, and is much easier to setup https://indieweb.org/IndieAuth
#
Zegnat
That description (“works with services you likely already use”) seems to suggest IndieAuth must include RelMeAuth in some way?
#
schmarty
Zegnat: good catch - IndieAuth-the-protocol doesn't require RelMeAuth
#
schmarty
but I would argue that IndieAuth.com relies primarily on RelMeAuth
#
aaronpk
indieauth.com is mostly an abstraction around relmeauth
j12t joined the channel
#
schmarty
maybe ben would donate thatmustbe.me to rename indieauth.com
eli_oat and [chrisaldrich] joined the channel
#
Zegnat
schmarty, it depends if we want IndieAuth-the-building-block to include RelMeAuth or not. We write its definition so it is up to us.
#
Zegnat
I think deciding the scope of what is IndieAuth would help greatly for rewriting the wiki page to be more focused.
#
aaronpk
i've been imagining the OAuth 2 extension spec being named IndieAuth, but am realizing that most people think of IndieAuth as the part that lets you authenticate with twitter/github/etc
#
schmarty
Zegnat: my understanding of IndieAuth-the-protocol is that it only requires authorization endpoint for identification, token endpoint for authorization. indieauth.com is an implementation of that which wraps RelMeAuth.
#
sknebel
what is IndieAuth-the-building-block and how does it relate to Indieauth-(.com)-the-service and Indieauth-the-protocol? :P
#
Loqi
It looks like we don't have a page for "IndieAuth-the-building-block and how does it relate to Indieauth-(.com)-the-service and Indieauth-the-protocol" yet. Would you like to create it?
#
sknebel
I'd follow schmarty's definition
#
Zegnat
Reading that definition though: “token” for “authorization” and “authorization” for “identification”. </3
j12t joined the channel
#
schmarty
Zegnat: that confuses me as well. "authentication-endpoint" makes more sense to me.
#
Zegnat
The endpoint also supplies scope tokens for authorisation. It is multipurpose.
#
Zegnat
The token endpoint is just incharge of then exchanging those for actual-real-access-tokens
#
schmarty
ahh, so token endpoint is just the code-to-token conversion step for oauth2?
eli_oat1 joined the channel
#
Zegnat
IndieAuth is the protocol that allows discovery for an authentication endpoint (and optionally a token endpoint) on any URL, allowing you to sign-in with a URL of your choosing.
#
Zegnat
Though do the IndieAuth authentication and token endpoint follow the oauth2 endpoints exactly? I seem to recall not, which means the two endpoints would also be specced by the IndieAuth protocol?
[miklb] joined the channel
#
aaronpk
OAuth core doesn't specify discovery, but there is an extension spec for that
#
aaronpk
although it's discovery of the endpoints after you already know the authorization server https://tools.ietf.org/html/draft-ietf-oauth-discovery-06#section-2
#
aaronpk
i guess openid connect discovery is the analogous thing, which uses webfinger http://openid.net/specs/openid-connect-discovery-1_0.html#IssuerDiscovery
#
Zegnat
Yeah, the discovery is definitely what makes IndieAuth protocol different. But what about the endpoints themselves? I know we mirrored e.g. scope and state on OAuth for selfauth. Is an IndieAuth authentication-endpoint === an OAuth authentication-endpoint?
#
aaronpk
yeah pretty much
#
Zegnat
That would make IndieAuth really just a specified discovery protocol, and that means we can severely cut down /IndieAuth
#
aaronpk
which is why we can keep referring to that part of the spec for that part https://tools.ietf.org/html/rfc6749#section-3.1
#
aaronpk
the IndieAuth spec does a couple things on top of OAuth 2.0 core
#
aaronpk
1) specifies discovery of the required endpoints given a profile URL
#
aaronpk
2) specifies how token endpoints and authorization endpoints can interoperate
tantek joined the channel
#
Zegnat
And IndieAuth.com-the-service is an authorization endpoint that wraps RelMeAuth, correct?
#
aaronpk
it's two things
#
aaronpk
1) it's an authorization endpoint that uses relmeauth instead of registration
#
aaronpk
2) it's a wrapper around relmeauth that has a protocol that happens to look like an OAuth 2 authorization endpoint
schmarty and [jemostrom] joined the channel
#
tantek
!tell gRegorlove I think https://indieweb.org/events/2017-07-12-homebrew-website-club looks pretty good for replicating forward to August. What do you think?
#
Loqi
Ok, I'll tell them that when I see them next
#
tantek.com
edited /events/2017-07-26-homebrew-website-club (+111) "/* San Francisco */ indie event, FB event, RSVP inline as well"
(view diff)
tbbrown, sl007, tantek, tantek_ and eli_oat joined the channel
#
ben_thatmustbeme
lol "IndieAuth.com-the-service" that sounds like an interesting name IndieAuth.com-the-service.com
[jeremycherfas], [pfefferle] and [miklb] joined the channel